ePortfolio Messaging Incident – 4th November 2015

The NHS ePortfolios system contains a facility called “messaging”.  This facility allows users of NHS ePortfolios to send messages to other users without leaving the NHS ePortfolios system. In addition to allowing trainees and their supervisors to exchange messages, the facility also allows programme directors and administrators to communicate with groups of users to which they have been assigned permissions.  No messages are filtered/censured based upon content.

The NHS ePortfolios messaging facility is not an email replacement or email relay service.  Users’ email addresses are not required for the use of, and not disclosed by, the messaging facility.  If a user receives a message within this facility whilst not logged in, the NHS ePortfolios system will send a one-time notification to the users’ email address informing them that they have an unread message they may wish to check when they next-login.

On the 4th November at 10:18am, an NHS ePortfolios user with the “Physician Administrator” role, chose to use the NHS ePortfolios messaging system to send a message with two attachments to all users of the “Physician Trainee” role within the location to which they have been assigned permission (approx. 550 recipients).

The ability of the user to send a message to this audience is by design – no security system was subverted to allow this message to be sent and the message was not sent/delivered to an audience to whom the user did not have appropriate permissions.

Upon receipt by users, the “sender name” was correctly displayed as that of the user that sent the message – the sender name was not obfuscated in any manner.